AI/BI administration guide

This article describes the account and workspace-level administrative controls that can be applied to AI/BI products.

Manage dashboard and Genie access

Users are granted entitlements at the workspace level that control how they interact with the Azure Databricks workspace. See Manage entitlements for details about each access type.

Dashboards and Genie spaces can be securely shared with the following user types:

  • Workspace users: Permissions are scoped to the workspace where they are a member. To access multiple workspaces, they must be added to each workspace individually. Their access is controlled by entitlements that determine how they interact with data assets.
    • With the Databricks SQL access entitlement: Users can create new dashboards and Genie spaces. Access can be granted to view, edit, and manage draft and published dashboards. Access can be granted to compute and Unity Catalog governed data.
    • With the Consumer access entitlement: Users can be granted access to published dashboards. Access can be granted to compute and Unity Catalog governed data. To learn more, see What is consumer access?.
  • Account users: Can be granted access to published dashboards with embedded credentials. Account users must be registered to your Azure Databricks account, but they do not need access to any additional resources or to be added to a workspace. Account users can be assigned as recipients for dashboards or Genie spaces across any workspace in the account. See Share a dashboard to learn more about published dashboards and embedded credentials.

See Manage entitlements.

Capabilities by access type

The following table compares the capabilities available to each access type. It has one column per access type (Account member access, Consumer access, Databricks SQL access) and one row per capability; the capabilities compared are:

  • View/run dashboards
  • View/run Genie spaces
  • Enforce row- and column-level security on view
  • Query SQL warehouses using BI tools
  • Access Unity Catalog-governed data through third-party BI tools
  • Read/write AI/BI dashboards
  • Read/write Genie spaces

Note

To allow account users to view dashboard data, dashboards must be published with embedded credentials.

Network considerations

If IP access lists are configured, dashboards are only accessible if users access them from within the approved IP range, such as when using a VPN. This applies to all users, regardless of whether they are assigned to a workspace. For more information on configuring access, see Manage IP access lists.

User and group management

All users registered with Azure Databricks belong to your Azure Databricks account. Registering a user in an Azure Databricks account establishes a verifiable identity that Azure Databricks can use for authentication when that user views a shared dashboard or Genie space. Organizing individual users into groups can make sharing easier for authors and editors. For example, an author can share with a single, named group instead of sharing with each user in the account.

Note

Users must have the appropriate data and compute privileges to interact with a Genie space, which can only be granted to workspace users.

Users can also share dashboards with any user, service principal, or group in Microsoft Entra ID using automatic identity management (Public Preview). After login, those users are automatically added to the Azure Databricks account. They are not added to the dashboard's originating workspace. For more information, see Sync users and groups automatically from Microsoft Entra ID.

Users and groups can have access to zero, one, or multiple workspaces. Authors can add users and groups to a People with access list to assign specific permissions, as with other workspace objects, when sharing a dashboard or Genie space.

For dashboards, they can configure Sharing settings with one of the following options:

  • Only people with access can view
  • Anyone in my account can view

If a dashboard is published with embedded credentials and shared with a specific user, group, or all users in the account, those users can access it regardless of whether they have access to the originating workspace.

The following image shows the relationship between users and groups at the workspace and account levels.

[Image: Account level SCIM diagram with dashboard sharing]

No additional configuration is required beyond account registration. Users do not need to be assigned to a workspace or provided access to compute resources.

Manage dashboard embedding

Embedding allows dashboard users with at least CAN EDIT permissions to generate iframe embed code using the Share dialog. Workspace admins can manage which domains, if any, are approved for hosting an embedded dashboard. Dashboard embedding requires users to have third-party cookies enabled.

[Image: Workspace admin settings open to the Embed Dashboards heading]

To set a policy that defines the domains where dashboards can be embedded, do the following:

  1. Click your username in the top bar of the Azure Databricks workspace and select Settings.

  2. Click Security.

  3. Scroll down to the External access section.

  4. In the Embed dashboards section, use the drop-down menu to set the policy for your workspace.

    There are three policy options:

    • Allow: Dashboards can be embedded in any domain.
    • Allow approved domains: Dashboards can only be embedded in sites that match the approved list.
    • Deny: Dashboards cannot be embedded in any domain.

If you select Allow approved domains, you can use this section to manage your list of approved domains by doing the following:

  1. Click Manage next to Embed Dashboards.
  2. Type a domain in the Approved domain dialog's text field. Click Add domain after each entry.
  3. Click Save.

Note

To embed your dashboard in a Google Site, you must allow multiple domains owned and used by Google in addition to the address associated with your particular site. The required sites are:

  • sites.google.com
  • www.gstatic.com
  • *.googleusercontent.com

Tips for defining approved domains and routes

To specify allowed hosts, use the grammar defined in W3C's Content Security Policy documentation. The examples in this section illustrate some common patterns.

Allow subdomains

To allow all subdomains for a given domain, use a wildcard symbol (*) before the domain name. The following examples use *.databricks.com as a sample domain.

  • Matches: Any subdomain
    • some.databricks.com
    • app.databricks.com
    • anything.databricks.com
  • Does not match: Anything that has a different domain.
    • another-databricks.com
    • app-databricks.com

Allow specific URL paths

To allow all pages under a base URL, use a trailing slash (/) to represent the root directory. Subdirectories and additional paths will match.

The following examples use sites.google.com/some/path/ as a sample provided path.

  • Matches: sites.google.com/some/path/to/my/dashboard and sites.google.com/some/path/any-page.
  • Does not match:
    • sites.google.com/some/path. This example lacks the trailing slash and so is a different URL.
    • sites.google.com/some/other/path/to/my/dashboard. This example does not share the same base path.

Note

A URL without a trailing slash is treated as an exact match and omits subpaths.
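The subdomain and path rules above are a subset of the CSP host-source grammar. The following is an added example, not Databricks code, of a small matcher that applies exactly those rules so an admin can check an approved-domain list against the URL of a page that will host an embed before saving the policy. The function names, the sample list and the sample host-page URLs are constructed for this example; the two approved entries reuse the sample domains from this section. As in the CSP specification, `*.example.com` matches any subdomain but not `example.com` itself; port wildcards and percent-decoding of paths are not handled.

```javascript
// Added example (not Databricks code): matcher for the subset of the CSP
// host-source grammar described above. Handles an optional scheme, "*."
// subdomain wildcards, an optional port, and a path that is a prefix when it
// ends in "/" and an exact match otherwise. Port wildcards ("host:*") and
// percent-decoding of paths are not handled.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse one approved-domain entry into its components.
function parseHostSource(source) {
  let rest = source.trim();
  let scheme = null;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (schemeMatch) {
    scheme = schemeMatch[1].toLowerCase() + ':'; // same form as URL.protocol
    rest = rest.slice(schemeMatch[0].length);
  }
  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? '' : rest.slice(slash);
  const [hostRaw, port = null] = hostPort.split(':');
  const wildcard = hostRaw.startsWith('*.');
  const host = (wildcard ? hostRaw.slice(2) : hostRaw).toLowerCase();
  if (!host) throw new Error(`invalid host-source: ${source}`);
  return { scheme, host, wildcard, anyHost: hostRaw === '*', port, path };
}

// "*.example.com" matches any subdomain of example.com, not example.com itself.
function hostMatches(rule, hostname) {
  if (rule.anyHost) return true;
  const h = hostname.toLowerCase();
  return rule.wildcard ? h.endsWith('.' + rule.host) : h === rule.host;
}

// No path part: any path. Trailing "/": prefix match. Otherwise: exact match.
function pathMatches(rulePath, urlPath) {
  if (rulePath === '') return true;
  if (rulePath.endsWith('/')) return urlPath.startsWith(rulePath);
  return urlPath === rulePath;
}

// True when at least one approved entry matches the URL of the hosting page.
function isApprovedEmbedHost(approved, hostPageUrl) {
  const url = new URL(hostPageUrl);
  const effectivePort = url.port || DEFAULT_PORTS[url.protocol] || '';
  return approved.some((entry) => {
    const rule = parseHostSource(entry);
    if (rule.scheme && rule.scheme !== url.protocol) return false;
    if (rule.port && rule.port !== effectivePort) return false;
    return hostMatches(rule, url.hostname) && pathMatches(rule.path, url.pathname);
  });
}

// Constructed sample policy using the sample entries from this section.
const APPROVED = ['*.databricks.com', 'sites.google.com/some/path/'];

// Constructed sample host pages with the outcome the rules above require.
const SAMPLES = [
  ['https://app.databricks.com/embed', true],
  ['https://app-databricks.com/embed', false],
  ['https://sites.google.com/some/path/to/my/dashboard', true],
  ['https://sites.google.com/some/path', false],
  ['https://sites.google.com/some/other/path/to/my/dashboard', false],
];

for (const [pageUrl, expected] of SAMPLES) {
  const ok = isApprovedEmbedHost(APPROVED, pageUrl);
  console.log(`${ok === expected ? 'ok ' : 'BAD'} ${ok ? 'allow' : 'deny '} ${pageUrl}`);
}
```

Running the block prints one line per sample; an entry without a trailing slash only ever matches its exact path, which is the behaviour the note above describes.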

Workspace admin subscription controls

Workspace admins can prevent users from distributing dashboards using subscriptions. Changing this setting prevents all users from adding email subscribers to scheduled dashboards. Dashboard editors cannot add subscribers, and dashboard viewers do not have the option to subscribe to a scheduled dashboard.

To prevent sharing email updates:

  1. Click your username in the top bar of the Azure Databricks workspace and select Settings.
  2. In the Settings sidebar, click Notifications.
  3. Turn the Enable dashboard email subscriptions option off.

If this setting is off, existing subscriptions are paused, and no one can modify existing subscription lists. If this setting is switched back on, subscriptions resume using the existing list.

Download controls

Workspace admins can adjust their security settings to prevent users from downloading dashboard and Genie space results using the following steps:

  1. Click your username in the top bar of the Azure Databricks workspace and select Settings.
  2. In the Settings sidebar, click Security.
  3. Turn the SQL results download option off.

Transfer ownership of a dashboard

Workspace admins can transfer ownership of a dashboard to a different user.

  1. Go to the list of dashboards. Click a dashboard name to edit.
  2. Click Share.
  3. Click the gear icon at the top-right of the Sharing dialog.
  4. Begin typing a username to search for and select the new owner.
  5. Click Confirm.

The new owner appears in the Sharing dialog with Can manage permissions. To view dashboards listed by owner, go to the list of available dashboards by clicking Dashboards.

Monitor AI/BI activity

Admins can monitor the activity on dashboards and Genie spaces using audit logs. See AI/BI dashboard events and AI/BI Genie events. For code examples demonstrating how to access audit log information to answer common questions, see Monitor AI/BI usage with audit logs and alerts.